25. Internationale ILIAS-Konferenz

Jetzt Tickets sichern / Order Tickets now!

Feature Wiki

Information about planned and released features

Tabs

Activity I/O Validation Schemas (Phase 4)

Page Overview

[Hide]

< Phase 1

< Phase 2

< Phase 3

If you need any help in filling out this wiki page, please visit our ILIAS Community FAQ. And please complete the metadata information in the right column after having created the page.

Building on the foundations laid in the previous phases, this fourth phase focuses on solidifying the integration between the ApiGateway component and the Activity mechanism in ILIAS. It leverages Activities' existing capabilities to automate and separate processes that are not directly related to business logic. This phase is considered the final step towards a complete and official ILIAS REST API webservice.

1 Initial Problem

In the current state of the REST API, there is no standardized way for clients to know what data should be submitted to an endpoint or what the structure of the response will be. Because these requirements are currently unknown to the system at a structural level, they cannot be communicated or enforced automatically.

This lack of standardization forces each Activity to manually implement its own validation and error handling.

Activities represent specific actions a user can perform in ILIAS, such as "Create a Course" or "Get Member List". They act as a central bridge that connects the REST API to the system's core logic. An Activity handles a complete process, including checking permissions and processing data, in a single place.

This makes them "universal," meaning the same logic can be used by the web interface, the API, or automated workflows. They usually either perform an action that changes the system (Commands) or simply fetch information (Queries). More details on the technical design can be found in the Activities README.

In Phase 4, the reliance on manual implementation within these Activities leads to several issues and significantly higher development effort:

  • Increased Boilerplate Code: Developers must write repetitive, manual validation code for every individual Activity.
  • Inconsistent Error Handling: Without a centralized mechanism, error responses for similar issues can vary across different endpoints.
  • Poor Developer Experience: API consumers have to inspect the implementation of an Activity to understand its expected input and output, slowing down development and integration.
  • Lack of Automatic Documentation: The absence of a machine-readable schema makes it difficult to generate up-to-date API documentation automatically.

2 Conceptual Summary

To address these problems, Phase 4 introduces a schema-driven approach to input and output validation. By enabling the ApiGateway to process the information provided by the getInputDescription() and getOutputDescription() methods of an Activity, we move from manual implementation to automated enforcement.

This transition dramatically reduces development effort and makes the interface significantly easier to use for both maintainers and consumers through the following automations:

  • Automated Input Validation (Solving Boilerplate & Inconsistency): The ApiGateway will automatically validate incoming requests against the schema defined by the Activity, checking for required parameters, correct data types, and other constraints. This eliminates the need for manual validation within each Activity.
  • Automated Output Transformation (Solving Boilerplate & Inconsistency): The response payload from an Activity's perform() method (whether it's an associative array or an ILIAS\Data\Result object) will be automatically transformed to match its defined output schema. This ensures that data types are strictly enforced (e.g., ensuring numeric values are returned as integers rather than strings) and guarantees a consistent response structure without manual formatting code.
  • Enhanced OpenAPI Schema Generation (Solving Developer Experience & Documentation): The input and output schemas defined in Activities will be used to generate a comprehensive OpenAPI (Swagger) specification automatically. This provides consumers with clear, machine-readable documentation, enabling them to understand and integrate with the API immediately without trial-and-error.

3 3 User Interface Modifications

3.1 3.1 List of Affected Views

  • No foreseeable view modifications.

3.2 User Interface Details

  • No foreseeable UI modifications.

3.3 New User Interface Concepts

  • No foreseeable UI new additions.

3.4 Accessibility Implications

  • No foreseeable accessibility modifications.

4 Additional Information

4.1 Involved Authorities

4.2 Technical Aspects

4.2.1 4.2.1 Architectural Modifications

The core of this phase is the introduction of a more formal contract between the ApiGateway and the Activities.

  • Routing\Action Interface: The Routing\Action interface will be extended with methods like getName(), getDescription(), getInput(), and getOutput(). These methods will provide the necessary metadata for the ApiGateway to handle schema validation and documentation generation. The Activity\ActivityAction and Routes\ApiRoute classes will be updated to implement this extended interface.
  • Delegated Validation: The Activity\ActivityAction::validate() method will no longer contain custom validation logic. Instead, it will delegate the validation to a specialized validator within the ApiGateway Activity sub-module. This validator will compare the incoming request data against the input schema provided by Activity::getInputDescription().
  • Typed Responses: The Activity\ActivityAction::__invoke() method will ensure that the response payload from Activity::perform() is correctly typed according to the output schema.

4.3 Privacy

The API will only provide a layer on top of the existing ILIAS components. There is no direct manipulation of user data.

4.4 Security

As in the previous phases, adding new endpoints inherently increases the attack surface, introducing risks such as injection attacks and unauthorized access.

To mitigate these, users should embed security into the component's building blocks by:

  • Applying strict input validation and sanitization to prevent injection & related attacks.
  • Using prepared statements with parameterized queries (ALWAYS)
  • Enforcing strict authorization checks on each new endpoint.
  • Using HTTPS to secure data in transit.
  • Conducting thorough security testing and audits to identify and resolve vulnerabilities before launch.

4.5 Contact

This feature is developed by Minervis GmbH.

4.6 Funding

Funding status and funding parties are listed in the block 'Status of Feature' in the right column of this page.

If you are interested to give funding for this feature, please get into contact with the person mentioned above as 'Contact'.

5 Discussion

JourFixe, ILIAS [jourfixe], ...

6 Implementation

The feature has been implemented by Hamouda, Ahmed [ahamouda].

6.1 Description and Screenshots

{ Description of the final implementation and screenshots if possible. }

6.2 Test Cases

Test cases completed at {date} by {user}

  • {Test case number linked to Testrail} : {test case title}

6.3 Privacy

Information in privacy.md of component: updated at {date} by {user} | no change required

6.4 Approval

Approved at {date} by {user}.

Full Screen

Last edited: 10. Mar 2026, 13:45, Hamouda, Ahmed [ahamouda]